UNC5537

UNC5537 is a financially motivated threat actor tracked by Mandiant and associated with the 2024 Snowflake customer compromises. Mandiant attributed the campaign to UNC5537 and reported that the activity affected roughly 165 Snowflake customer organizations. The actor used stolen credentials obtained from infostealer malware infections to access Snowflake customer environments, with the absence of enforced MFA repeatedly cited as a key enabling factor. Reported infostealers associated with exposed credentials include VIDAR, REDLINE, LUMMA, RISEPRO, RACOON STEALER, and METASTEALER. The group’s activity involved logging into Snowflake customer tenants with valid credentials, often via SnowSight and the SnowSQL CLI, then conducting reconnaissance and large-scale data theft followed by extortion. Mandiant observed UNC5537 using the publicly available database management utility DBeaver Ultimate to connect to and run queries across Snowflake instances. Mandiant also tracked an attacker-named utility, “rapeflake,” as FROSTBITE; observed .NET and Java variants were assessed to perform SQL-based reconnaissance such as enumerating users, roles, IPs, session IDs, and organization names. The campaign was described as relying on customer-side security gaps rather than a Snowflake software vulnerability, specifically missing MFA, unrotated credentials, and lack of network allow-listing. The actor extracted large volumes of sensitive data and extorted victims after exfiltration. Publicly identified victims in the provided content include Ticketmaster, AT&T, Santander, Advance Auto Parts, Neiman Marcus, LendingTree/QuoteWizard, Los Angeles Unified School District, and Pure Storage. The content states that some of the stolen data was later distributed by ShinyHunters, and multiple sources discuss UNC5537 in relation to ShinyHunters. One source describes broader cluster evolution involving UNC5537, UNC6040, UNC6395, and UNC6661 within a ShinyHunters profile, but the provided content does not establish these as formal aliases of UNC5537. Reported pseudonyms used by the actor include “Judische” and “Waifu.” Mandiant reportedly assessed members to be based in North America and Turkey.